Add files via upload

SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.1.x   | :white_check_mark: |
+| 5.0.x   | :x:                |
+| 4.0.x   | :white_check_mark: |
+| < 4.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.

cluster.tf

@@ -0,0 +1,73 @@
+resource "aws_ecs_cluster" "my_cluster" {
+  name = "${var.name}-ecs"
+}
+
+resource "aws_cloudwatch_log_group" "my_logs" {
+  name = "${var.name}-logs"
+}
+
+resource "aws_security_group" "my_security_group" {
+  description = "Allow workload to reach internet"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_security_group_rule" "my_egress_rule" {
+  type              = "egress"
+  protocol          = "all"
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.my_security_group.id
+}
+
+resource "aws_iam_role" "my_execution_role" {
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+#####
+# Create ECS Task
+#####
+
+resource "aws_ecs_task_definition" "my_task_definition" {
+  family             = "${var.name}-workload"
+  execution_role_arn = aws_iam_role.my_execution_role.arn
+
+  cpu                      = "256"
+  memory                   = "1024"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+
+  container_definitions = data.sysdig_fargate_workload_agent.instrumented.output_container_definitions
+}
+
+#####
+# Deploy app on ECS cluster
+#####
+
+resource "aws_ecs_service" "my_service" {
+  name = "${var.name}-service"
+
+  cluster          = aws_ecs_cluster.my_cluster.id
+  task_definition  = aws_ecs_task_definition.my_task_definition.arn
+  desired_count    = 1
+  launch_type      = "FARGATE"
+  platform_version = "1.4.0"
+
+  network_configuration {
+    subnets          = var.subnets
+    security_groups  = [aws_security_group.my_security_group.id]
+    assign_public_ip = true
+  }
+}

javaapp-deployment.yaml

@@ -0,0 +1,47 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: javaapp
+  labels:
+    name: java-deployment
+    app: demo
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: demo
+      name: javaapp
+      role: jfrontend
+  template:
+    metadata:
+      labels:
+        app: demo
+        name: javaapp
+        role: jfrontend
+    spec:
+      containers:
+        - name: javaapp
+          image: ltagliamonte/counterapp
+          env:
+          - name: MONGO
+            value: mongo.java-app.svc.cluster.local
+          - name: CASSANDRA
+            value: cassandra.java-app.svc.cluster.local
+          - name: REDIS
+            value: redis.java-app.svc.cluster.local
+          ports:
+          - containerPort: 8080
+            name: java
+          livenessProbe:
+            httpGet:
+              path: /simpleWebJava/TestServlet
+              port: 8080
+            initialDelaySeconds: 120
+            timeoutSeconds: 5
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"

orchestrator-agent.tf

@@ -0,0 +1,17 @@
+module "fargate-orchestrator-agent" {
+  source          = "sysdiglabs/fargate-orchestrator-agent/aws"
+  version         = "0.3.1"
+
+  name             = "${var.name}-orchestrator"
+
+  vpc_id           = var.vpc_id
+  subnets          = var.subnets
+
+  assign_public_ip = true  # if using Internet Gateway
+
+  collector_host   = var.collector_host
+  collector_port   = var.collector_port
+  access_key       = var.sysdig_access_key
+  #access_key       = "arn:aws:secretsmanager:us-east-1:059797578166:secret:giri-sysdig-json-EJCDBF:SysdigAccessKey::"
+  check_collector_certificate = "false"
+}

sysdig-agent-daemonset-v2.yaml

@@ -0,0 +1,134 @@
+### WARNING: this file is supported from Sysdig Agent 0.80.0
+# apiVersion: extensions/v1beta1  # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: sysdig-agent
+  labels:
+    app: sysdig-agent
+spec:
+  selector:
+    matchLabels:
+      app: sysdig-agent
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: sysdig-agent
+    spec:
+      volumes:
+      - name: modprobe-d
+        hostPath:
+          path: /etc/modprobe.d
+      - name: osrel
+        hostPath:
+          path: /etc/os-release
+          type: FileOrCreate
+      - name: dshm
+        emptyDir:
+          medium: Memory
+      - name: dev-vol
+        hostPath:
+          path: /dev
+      - name: proc-vol
+        hostPath:
+          path: /proc
+      - name: boot-vol
+        hostPath:
+          path: /boot
+      - name: modules-vol
+        hostPath:
+          path: /lib/modules
+      - name: usr-vol
+        hostPath:
+          path: /usr
+      - name: run-vol
+        hostPath:
+          path: /run
+      - name: varrun-vol
+        hostPath:
+          path: /var/run
+      # Uncomment these lines if you'd like to map /root/ from the
+      # host into the container. This can be useful to map
+      # /root/.sysdig to pick up custom kernel modules.
+      #- name: host-root-vol
+      #  hostPath:
+      #    path: /root
+      - name: sysdig-agent-config
+        configMap:
+          name: sysdig-agent
+          optional: true
+      - name: sysdig-agent-secrets
+        secret:
+          secretName: sysdig-agent
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      hostPID: true
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+      # The following line is necessary for RBAC
+      serviceAccount: sysdig-agent
+      terminationGracePeriodSeconds: 5
+      containers:
+      - name: sysdig-agent
+        image: sysdig/agent
+        imagePullPolicy: Always
+        securityContext:
+          privileged: true
+        resources:
+          # Resources needed are subjective to the actual workload.
+          # Please refer to Sysdig Support for more info.
+          requests:
+            cpu: 600m
+            memory: 512Mi
+          limits:
+            cpu: 2000m
+            memory: 1536Mi
+        readinessProbe:
+          exec:
+            command: [ "test", "-e", "/opt/draios/logs/running" ]
+          initialDelaySeconds: 10
+        # This section is for eBPF support. Please refer to Sysdig Support before
+        # uncommenting, as eBPF is recommended for only a few configurations.
+        #env:
+        #  - name: SYSDIG_BPF_PROBE
+        #    value: ""
+        volumeMounts:
+        - mountPath: /etc/modprobe.d
+          name: modprobe-d
+          readOnly: true
+        - mountPath: /host/dev
+          name: dev-vol
+          readOnly: false
+        - mountPath: /host/proc
+          name: proc-vol
+          readOnly: true
+        - mountPath: /host/boot
+          name: boot-vol
+          readOnly: true
+        - mountPath: /host/lib/modules
+          name: modules-vol
+          readOnly: true
+        - mountPath: /host/usr
+          name: usr-vol
+          readOnly: true
+        - mountPath: /host/run
+          name: run-vol
+        - mountPath: /host/var/run
+          name: varrun-vol
+        - mountPath: /dev/shm
+          name: dshm
+        - mountPath: /opt/draios/etc/kubernetes/config
+          name: sysdig-agent-config
+        - mountPath: /opt/draios/etc/kubernetes/secrets
+          name: sysdig-agent-secrets
+        - mountPath: /host/etc/os-release
+          name: osrel
+          readOnly: true
+        # Uncomment these lines if you'd like to map /root/ from the
+        # host into the container. This can be useful to map
+        # /root/.sysdig to pick up custom kernel modules.
+        #- mountPath: /root
+        #  name: host-root-vol